Abstract. A barrier certificate is an inductive invariant function that can be used for the safety verification of a hybrid system. Safety verification based on barrier certificates has the benefit of avoiding explicit computation of the exact reachable set, which is usually intractable for nonlinear hybrid systems. In this paper, we propose a new barrier certificate condition, called Exponential Condition, for the safety verification of semi-algebraic hybrid systems. The most important benefit of Exponential Condition is that it is less conservative than the existing Convex Condition while still being convex. On the one hand, a less conservative barrier certificate forms a tighter over-approximation of the reachable set and hence is able to verify critical safety properties. On the other hand, convexity guarantees solvability by semidefinite programming. Some examples are presented to illustrate the effectiveness and practicality of our method.

Keywords: inductive invariant, barrier certificate, safety verification, 
hybrid system, nonlinear system, sum of squares 



1 Introduction 

Hybrid systems [5], [1] are models for systems with interacting discrete and continuous dynamics. Embedded systems are often modeled as hybrid systems because they involve both digital control software and analog plants. In recent years, as embedded systems have become ubiquitous, more and more researchers have turned to the theory of hybrid systems. Reachability problems, or safety verification problems, are among the most challenging problems in verifying hybrid systems. The aim of safety verification is to decide whether a continuous or hybrid system, starting from an initial set, can reach an unsafe set. For this purpose, many methods have been proposed for various classes of hybrid systems with different features.

Deductive methods based on inductive invariants play an important role in the safety verification of hybrid systems. An inductive invariant of a hybrid system is an invariant $\varphi$ that holds at the initial states of the system and is preserved by all discrete and continuous transitions. A safety property is an invariant $\psi$ (usually not inductive) that holds in all reachable states of the system. The standard technique for proving a given property $\psi$ is to generate an inductive invariant $\varphi$ that implies $\psi$. The problem of safety verification is thereby converted into the problem of inductive invariant generation, which avoids computing the reachable set of the hybrid system. The key points in generating inductive invariants for hybrid systems are how to define an inductive condition that is as little conservative as possible and how to compute efficiently an inductive invariant that satisfies it. Usually, these two aspects conflict with each other: an inductive condition with sufficiently low conservativeness often runs into computability or complexity problems. For different classes of hybrid systems, various inductive invariants and computational methods have been proposed.

Some methods were primarily proposed for constructing inductive invariants for linear hybrid systems [6], [16]. In recent years, however, researchers have concentrated more and more on nonlinear hybrid systems, especially on algebraic or semi-algebraic hybrid systems (i.e. systems whose vector fields are polynomials and whose set descriptions are polynomial equalities or inequalities), as they are more general. In [18], [17], Sankaranarayanan et al. presented a computational method based on ideal theory over polynomial rings and quantifier elimination for automatically generating algebraic invariants for algebraic hybrid systems. Similarly, Tiwari et al. proposed in [23] a technique based on ideal theory over polynomial rings to generate inductive invariants for nonlinear polynomial systems. In [14], [13], S. Prajna et al. proposed a new inductive invariant called Barrier Certificate for verifying the safety of semialgebraic hybrid systems; the computational method they applied is the sum-of-squares decomposition of semidefinite polynomials. In [19], C. Sloth et al. proposed a new barrier certificate for a special class of hybrid systems which can be modeled as an interconnection of subsystems. In [12], A. Platzer et al. proposed the concept of Differential Invariant, a boolean combination of multiple polynomial inequalities, for verifying semialgebraic hybrid systems. In [4], S. Gulwani et al. proposed an inductive invariant similar to Differential Invariant, except that they defined a different inductive condition and used an SMT solver to find the inductive invariant. In [22], A. Taly et al. discussed the soundness and completeness of several existing invariant conditions and presented several simpler and practical invariant conditions that are sound and relatively complete for different classes of inductive invariants. In [21], A. Taly et al. proposed to use inductive controlled invariants to synthesize multi-modal continuous dynamical systems satisfying a specified safety property.

In this paper, we propose a new barrier certificate condition (called Exponential Condition) for the safety verification of semialgebraic hybrid systems. A barrier certificate is a special class of inductive invariant for the safety verification of hybrid systems: a function $\varphi(x)$ which maps all states in the reachable set to non-positive reals and all states in the unsafe set to positive reals. Given a dynamical system $S$ with dynamics $\dot{x} = f(x)$ and initial set $Init$, to prove that a safety property $P$ (we use $X_u$ to denote the unsafe set) is satisfied by $S$, the basic idea of Exponential Condition is to identify a function $\varphi(x)$ such that 1) $\varphi(x) \le 0$ for any point $x \in Init$, 2) $\varphi(x) > 0$ for any point $x \in X_u$, and 3) $\mathcal{L}_f \varphi(x) \le \lambda \varphi(x)$, where $\mathcal{L}_f \varphi(x) = \frac{\partial \varphi}{\partial x} f(x)$ is the Lie derivative of $\varphi$ with respect to the vector field $f$ and $\lambda$ is any negative real constant. The first and third conditions together guarantee that $\varphi(x) \le 0$ for any point $x$ in the reachable set $R$, which implies that $R \cap X_u = \emptyset$. Therefore, we can assert that the safety property $P$ is satisfied by the system $S$ as long as we can find a function $\varphi(x)$ satisfying the above conditions. The conditions extend naturally to semialgebraic hybrid systems: the idea is to identify a set of functions $\{\varphi_l(x)\}$, one for each mode of the hybrid system, which not only satisfy the above conditions but also satisfy an additional sign-preserving constraint for each discrete transition.

The most important benefit of Exponential Condition is that it is less conservative than Convex Condition [14] and Differential Invariant [12], where the Lie derivative of $\varphi(x)$ is required to satisfy $\mathcal{L}_f \varphi(x) \le 0$ (a stronger condition than $\mathcal{L}_f \varphi(x) \le \lambda \varphi(x)$ with $\lambda < 0$), while it remains convex. On the one hand, a less conservative inductive invariant forms a tighter over-approximation of the reachable set and hence is able to verify critical safety properties (i.e., those where the unsafe region is very close to the reachable region). On the other hand, a convex inductive invariant condition can be solved efficiently by semidefinite programming, which is widely used for computing Lyapunov functions in the stability analysis of nonlinear systems. There do exist inductive invariants that are less conservative than Exponential Condition, such as those of [4], [1], [22]; however, those inductive conditions are not convex and thus cannot be solved by semidefinite programming. Instead, they are usually solved by quantifier elimination or SMT solvers, which usually have a much higher computational complexity than semidefinite programming.

Given a semialgebraic hybrid system, we choose a set of polynomials of bounded degree with unknown coefficients as the candidate inductive invariant, and then obtain from Exponential Condition a set of polynomials that are required to be positive semidefinite (i.e. $P(x) \ge 0$). Therefore, the generation of a barrier certificate based on Exponential Condition can be transformed into a sum-of-squares programming problem over positive semidefinite polynomials [20], [15]. Based on this theory, we develop an algorithm for generating inductive invariants satisfying Exponential Condition. Experiments on both nonlinear systems and hybrid systems show the effectiveness and practicality of our method.



The remainder of this paper is organized as follows. Section 2 introduces the preliminaries of our method. Section 3 presents the barrier certificate conditions for continuous systems and hybrid systems. Section 4 introduces the computational method we use to construct barrier certificates according to those conditions. Section 5 gives some examples to demonstrate the application of our method to the safety verification of continuous and hybrid systems. Finally, we conclude our work in Section 6.

2 Preliminaries 

In this paper, we adopt the model proposed in [3] as our modeling framework. Many other models for hybrid systems can be found in [10], [9], [1]. A continuous system is specified by a differential equation

$$\dot{x} = f(x) \qquad (1)$$

where $x \in \mathbb{R}^n$ and $f$ is a Lipschitz continuous vector function from $\mathbb{R}^n$ to $\mathbb{R}^n$. Note that Lipschitz continuity guarantees the existence and uniqueness of the solution $x(t)$ of the system (1). A hybrid system can then be defined as:

Definition 1. (Hybrid System) A hybrid system is a tuple $\mathcal{H} = (L, X, E, R, G, I, F)$, where

— $L$ is a finite set of locations (or modes);

— $X \subseteq \mathbb{R}^n$ is the continuous state space. The hybrid state space of the system is denoted by $\mathcal{X} = L \times X$ and a state is denoted by $(l, x) \in \mathcal{X}$;

— $E \subseteq L \times L$ is a set of discrete transitions;

— $G : E \to 2^X$ is a guard mapping over discrete transitions;

— $R : E \times X \to 2^X$ is a reset mapping over discrete transitions;

— $I : L \to 2^X$ is an invariant mapping;

— $F : L \to (X \to X)$ is a vector field mapping which assigns to each location $l$ a vector field $f_l$.

The transition and dynamic structure of the hybrid system defines a set of trajectories. A trajectory is a sequence starting from a state $(l_0, x_0) \in \mathcal{X}_0$, where $\mathcal{X}_0 \subseteq \mathcal{X}$ is an initial set, and consisting of a series of interleaved continuous flows and discrete transitions. During a continuous flow, the system evolves following the vector field $F(l)$ at some location $l \in L$ until the invariant condition $I(l)$ is violated. At some state $(l, x)$, if there is a discrete transition $(l, l') \in E$ such that $x \in G(l, l')$ (we write $G(l, l')$ for $G((l, l'))$), then the discrete transition can be taken and the system state can be reset to a state in $R(l, l', x)$. The problem of safety verification of a hybrid system is to prove that the hybrid system cannot reach an unsafe set $\mathcal{X}_u$ from an initial set $\mathcal{X}_0$.

An important concept used in this paper is the Lie derivative. In our context, the Lie derivative evaluates the change of a scalar function $\varphi(x)$ along the flow of a vector field $f(x) = (f_1(x), \cdots, f_n(x))$. Formally,

$$\mathcal{L}_f \varphi(x) = \frac{\partial \varphi}{\partial x} f(x) = \sum_{i=1}^{n} \frac{\partial \varphi}{\partial x_i} f_i(x).$$



Some other notation used in this paper: $\mathbb{R}$ denotes the real number field. $C^1(\mathbb{R}^n)$ denotes the space of once continuously differentiable functions mapping $X \subseteq \mathbb{R}^n$ to $\mathbb{R}$. $\mathbb{R}[x]$ denotes the polynomial ring in $x$ over the real number field and $\mathbb{R}[x]^m$ denotes the $m$-dimensional polynomial vector space over $\mathbb{R}[x]$. $M^T$ denotes the transpose of the matrix $M$.



3 Conditions for Constructing Barrier Certificates 

3.1 Barrier Certificate Condition for Continuous Systems 

Given a continuous system $S$, an initial set $X_0$ and an unsafe set $X_u$, a barrier certificate is a real-valued function $\varphi(x)$ of the state satisfying $\varphi(x) \le 0$ for any point $x$ in the reachable set $R$ and $\varphi(x) > 0$ for any point $x$ in the unsafe set $X_u$ (called General Constraint hereafter). Therefore, if such a function $\varphi(x)$ exists, we can assert that $R \cap X_u = \emptyset$, that is, the system cannot reach a state in the unsafe set from the initial set. However, since the exact reachable set $R$ is not computable for most hybrid systems, we cannot decide directly whether $\varphi(x) \le 0$ holds for all points in $R$. Therefore, various alternative inductive conditions that are equivalent to or sufficient for General Constraint have been proposed. In what follows, we present a new barrier certificate condition which is sufficient for General Constraint.

Consider a continuous system $C$ specified by the differential equation (1), and assume that $X_0$ ($\subseteq X$) and $X_u$ are the initial set and the unsafe set respectively. Then we have the following theorem as a barrier certificate condition.

Theorem 1 (Exponential Condition). Given the continuous system (1) and the corresponding sets $X$, $X_0$ and $X_u$, for any given $\lambda \in \mathbb{R}$, if there exists a barrier certificate, i.e. a real-valued function $\varphi(x) \in C^1(\mathbb{R}^n)$ satisfying the following formulae:

$$\forall x \in X_0 : \varphi(x) \le 0 \qquad (2)$$
$$\forall x \in X : \mathcal{L}_f \varphi(x) - \lambda \varphi(x) \le 0 \qquad (3)$$
$$\forall x \in X_u : \varphi(x) > 0 \qquad (4)$$

then the safety property is satisfied by the system (1).

Proof. Let $x_0 \in X_0$ and let $x(t)$ be the corresponding particular solution of the system (1). We aim to prove that for any function $\varphi(x(t))$ satisfying the formulae (2)-(4), the following holds:

$$\forall \zeta \ge 0 : \varphi(x(\zeta)) \le 0. \qquad (5)$$

Let $g(x) = \mathcal{L}_f \varphi(x) - \lambda \varphi(x)$; then by (3)

$$\forall x \in X : g(x) \le 0. \qquad (6)$$

Since $\frac{d\varphi(x(t))}{dt} = \frac{\partial \varphi}{\partial x} \frac{dx}{dt} = \frac{\partial \varphi}{\partial x} f(x) = \mathcal{L}_f \varphi(x)$, we have the following differential equation for $\varphi(x(t))$:

$$\frac{d\varphi(x(t))}{dt} = \lambda \varphi(x(t)) + g(x(t)), \qquad \varphi(x(0)) = \varphi(x_0). \qquad (7)$$

Solving the differential equation (7) gives

$$\varphi(x(t)) = \Big( \int_0^t g(x(\tau)) e^{-\lambda \tau} \, d\tau + \varphi(x_0) \Big) e^{\lambda t}. \qquad (8)$$

By (6), we have

$$\int_0^t g(x(\tau)) e^{-\lambda \tau} \, d\tau \le 0. \qquad (9)$$

Then by (9) and $\varphi(x_0) \le 0$, we finally have

$$\varphi(x(t)) \le \varphi(x_0) e^{\lambda t} \le 0. \qquad (10)$$

Hence, for any $\zeta \ge 0$, $\varphi(x(\zeta)) \le 0$ holds. □

Remark 1. The formulae (2) and (4) ensure that the barrier separates the initial set $X_0$ from the unsafe set $X_u$, and the formula (3) ensures that system trajectories cannot escape from inside the barrier. These conditions together imply that $\varphi(x) \le 0$ is an inductive invariant of the system (1).

From another point of view, the semi-algebraic set $\{x \in \mathbb{R}^n \mid \varphi(x) \le 0\}$ forms an over-approximation of the reachable set of the system (1), and the zero level set of the function $\varphi(x)$ (i.e., $\{x \in \mathbb{R}^n \mid \varphi(x) = 0\}$) forms the boundary of the over-approximation. In order to be less conservative, we want the boundary of the over-approximation to enclose the reachable set $\{x(t) \mid x(0) \in X_0, \dot{x} = f(x), t \in \mathbb{R}^+\}$ as tightly as possible; in other words, we want the upper bound of $\varphi(x(t))$ to approach zero as closely as possible. According to the above proof (i.e., (10)), the range over which the function $\varphi(x(t))$ can vary depends closely on the value of the parameter $\lambda$: the smaller $\lambda$ is, the closer the upper bound of the range of $\varphi(x(t))$ is to zero (see Fig. 1). Roughly speaking, the values of $\lambda$ fall into three classes according to the conservativeness of the barrier certificate condition:

— $\lambda = 0$. In this case, the formula (3) degenerates to $\frac{\partial \varphi}{\partial x} f(x) \le 0$, which is the case of Convex Condition. This condition implies that the value of $\varphi(x(t))$ can never get closer to zero over time $t$. Thus, the condition is very conservative.

— $\lambda < 0$. In this case, we know that 1) $\varphi(x(t)) \le \varphi(x_0) e^{\lambda t} \le 0$, and 2) $\frac{\partial \varphi}{\partial x} f(x) \le \lambda \varphi(x)$, where $\lambda \varphi(x) \ge 0$ whenever $\varphi(x) \le 0$. These two inequalities together imply that the value of $\varphi(x(t))$ can increase over time $t$ but never cross the upper bound $0$, provided that $\varphi(x(0)) \le 0$ at the beginning.

— $\lambda > 0$. In this case, $\frac{\partial \varphi}{\partial x} f(x) \le \lambda \varphi(x) \le 0$ whenever $\varphi(x) \le 0$, which means that the value of $\varphi(x(t))$ moves away from $0$. Apparently, the condition is much more conservative than the first case.



Fig. 1. Dependency of the barrier certificate condition on $\lambda$. As the value of $\lambda$ decreases (e.g. from $1/4$ to $-3$), the upper bound of the value of $\varphi(x(t))$ approaches zero, which means the barrier certificate condition becomes less conservative.

Therefore, as long as we let $\lambda < 0$, we get barrier certificate conditions that are less conservative than Convex Condition. Note that Exponential Condition is convex as well: its convexity is easily proved by verifying that for any two functions $\varphi_1(x)$ and $\varphi_2(x)$ satisfying the formulae (2)-(4) and any $\theta$ with $0 \le \theta \le 1$, $\varphi(x) = \theta \varphi_1(x) + (1 - \theta) \varphi_2(x)$ satisfies the formulae (2)-(4) as well (for a fixed $\lambda$, each of (2)-(4) is linear in $\varphi$). Based on this fact, we can convert the problem of constructing a barrier certificate into a convex optimization problem, which we discuss in Section 4.
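To make the three cases of Remark 1 concrete, here is an added example (not code from the paper or from SOSTOOLS) that checks (2)-(4) and the bound (10) numerically. The system and the candidate barrier are assumptions chosen so that every step can be verified by hand: $\dot{x} = -x$, state space $X = [-5, 5]$, $X_0 = [-0.5, 0.5]$, $X_u = [2, \infty)$ and $\varphi(x) = x - 1$, for which $\mathcal{L}_f \varphi(x) = -x$. A grid check is a sanity check, not a proof; the paper's SOS programming is what actually certifies (3) for all $x \in X$.

```python
"""Numerical check of Theorem 1 (Exponential Condition) on a 1-D example.

Added example, not from the paper.  Assumed system and candidate barrier:
    x' = f(x) = -x,   X = [-5, 5],   X0 = [-0.5, 0.5],   Xu = [2, +inf)
    phi(x) = x - 1,   L_f phi(x) = phi'(x) * f(x) = -x
Only the Python standard library is used.
"""
import math

X_MIN, X_MAX = -5.0, 5.0   # assumed bounded state space X
X0 = (-0.5, 0.5)           # assumed initial set X0
XU_MIN = 2.0               # assumed unsafe set Xu = [2, +inf)


def f(x):
    """Vector field of x' = f(x)."""
    return -x


def phi(x):
    """Candidate barrier certificate."""
    return x - 1.0


def lie_derivative_phi(x):
    """L_f phi(x) = (d phi / d x) * f(x); d phi / d x = 1 for phi(x) = x - 1."""
    return 1.0 * f(x)


def violations(lam, n=2001, tol=1e-12):
    """Evaluate (2), (3), (4) on a grid over X; return the violating points.

    (2): phi <= 0 on X0;  (3): L_f phi - lam*phi <= 0 on X;  (4): phi > 0 on Xu.
    An empty list means the candidate passed the grid check for this lam.
    """
    bad = []
    for i in range(n):
        x = X_MIN + (X_MAX - X_MIN) * i / (n - 1)
        if X0[0] <= x <= X0[1] and phi(x) > tol:
            bad.append(("(2)", x))
        if lie_derivative_phi(x) - lam * phi(x) > tol:
            bad.append(("(3)", x))
        if x >= XU_MIN and phi(x) <= tol:
            bad.append(("(4)", x))
    return bad


def rk4(x0, t_end, dt=1e-3):
    """Integrate x' = f(x) from x0 with classical RK4; returns [(t, x)]."""
    t, x, traj = 0.0, x0, [(0.0, x0)]
    for _ in range(int(round(t_end / dt))):
        k1 = f(x)
        k2 = f(x + 0.5 * dt * k1)
        k3 = f(x + 0.5 * dt * k2)
        k4 = f(x + dt * k3)
        x += dt * (k1 + 2 * k2 + 2 * k3 + k4) / 6.0
        t += dt
        traj.append((t, x))
    return traj


def bound_holds(x0, lam, t_end=5.0, tol=1e-9):
    """Inequality (10) along the simulated trajectory from x0:
    phi(x(t)) <= phi(x0) * e^{lam t} <= 0 for every sampled t."""
    c = phi(x0)
    return all(phi(x) <= c * math.exp(lam * t) + tol and c * math.exp(lam * t) <= 0.0
               for t, x in rk4(x0, t_end))


def phi_range(x0, t_end=5.0):
    """(min, max) of phi(x(t)) along the trajectory from x0.  With lam < 0 the
    value may rise towards 0 (the lambda < 0 case of Remark 1) but never cross it."""
    values = [phi(x) for _, x in rk4(x0, t_end)]
    return min(values), max(values)


if __name__ == "__main__":
    for lam in (0.0, -0.5, -1.0):
        bad = violations(lam)
        print(f"lambda = {lam:5.2f}:", "passes" if not bad else f"{len(bad)} violations, first {bad[0]}")
    print("bound (10) from x0 = -0.5 with lambda = -1:", bound_holds(-0.5, -1.0))
    print("range of phi along that trajectory:", phi_range(-0.5))
```

For this linear candidate, $\lambda = 0$ (Convex Condition) rejects $\varphi$ at every grid point with $x < 0$, because $\mathcal{L}_f \varphi = -x > 0$ there, and a trajectory started at $x_0 = -0.5$ indeed violates the $\lambda = 0$ form of (10) while $\varphi(x(t))$ climbs from $-1.5$ towards $-1$; with $\lambda = -1$ the residual $\mathcal{L}_f \varphi - \lambda \varphi$ is the constant $-1$ and both the grid check and (10) pass. Note that for a fixed $\lambda$ the constraint (3) is linear in $\varphi$, but jointly in $(\lambda, \varphi)$ it is bilinear, which is why the search over $\lambda$ is done over a finite candidate set rather than inside the convex program.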

In addition, as a generalization of Convex Condition, Differential Invariant is basically as conservative as Convex Condition. Here we give an informal explanation of this point. The differences in their definitions lie mainly in two aspects:

1. invariant template: Convex Condition employs a single inequality $p(x) \le 0$ as the invariant template, while Differential Invariant employs a conjunction $\bigwedge_{i=1}^{m} q_i(x) \triangleright_i r_i(x)$, where $\triangleright_i$ denotes a connective in $\{=, \ge, >, \le, <\}$.

2. inductive condition: Convex Condition employs $\mathcal{L}_f p \le 0$ as the inductive condition, while Differential Invariant employs the conjunction $\bigwedge_{i=1}^{m} \mathcal{L}_f q_i \triangleright_i \mathcal{L}_f r_i$, which results from applying the Lie derivative to each of the conjuncts of the invariant template.

Note that each conjunct of a Differential Invariant is still an inductive invariant by itself, which we call a Sub-Differential-Invariant here. Based on the above definition, we can easily prove that every Sub-Differential-Invariant $q_i(x) \triangleright_i r_i(x)$ satisfies Convex Condition. For example, suppose we have a Sub-Differential-Invariant $q_i(x) \ge r_i(x)$ and the corresponding inductive condition $\mathcal{L}_f q_i \ge \mathcal{L}_f r_i$. Let $p(x) = r_i(x) - q_i(x)$; then we obtain an equivalent inductive invariant $p(x) \le 0$ and the corresponding inductive condition $\mathcal{L}_f p = \mathcal{L}_f r_i - \mathcal{L}_f q_i \le 0$, so $p(x) \le 0$ and $\mathcal{L}_f p \le 0$ hold. Therefore, the Sub-Differential-Invariant $q_i(x) \ge r_i(x)$ satisfies Convex Condition. Similarly, all the other cases of $q_i(x) \triangleright_i r_i(x)$ can be shown to satisfy Convex Condition. Hence, a Sub-Differential-Invariant is no less conservative than Convex Condition. By taking a conjunction of multiple Sub-Differential-Invariants, Differential Invariant does enhance the ability to over-approximate complex-shaped reachable sets. However, this does not overcome the drawback that no trajectory of the system can move towards the boundary of the over-approximation formed by a Differential Invariant. Therefore, in this sense, we say that Differential Invariant is basically as conservative as Convex Condition and consequently is more conservative than Exponential Condition.

In the following subsection, we extend the barrier certificate condition for 
continuous systems to hybrid systems. 

3.2 Barrier Certificate Condition for Hybrid Systems 

Different from the barrier certificate for a continuous system, the barrier certificate for a hybrid system consists of a set of functions $\{\varphi_l(x) \mid l \in L\}$, each of which corresponds to a discrete location of the system and forms a barrier between the reachable set and the unsafe set at that individual location. For each function $\varphi_l(x)$ at location $l$, in addition to the constraints on the continuous flows, the barrier certificate conditions have to take into account all the discrete transitions starting from location $l$ to make the overall barrier certificate an inductive invariant. Formally, we define the barrier certificate condition for hybrid systems in the following theorem.

Theorem 2 (Hybrid-Exp Condition). Given the hybrid system $\mathcal{H} = (L, X, E, R, G, I, F)$, the initial set $\mathcal{X}_0$ and the unsafe set $\mathcal{X}_u$ of $\mathcal{H}$, for any given set of constant real numbers $S_\lambda = \{\lambda_l \in \mathbb{R} \mid l \in L\}$ and any given set of constant non-negative real numbers $S_\gamma = \{\gamma_{ll'} \in \mathbb{R}^+ \mid (l, l') \in E\}$, if there exists a set of functions $\{\varphi_l(x) \mid \varphi_l(x) \in C^1(\mathbb{R}^n), l \in L\}$ such that, for all $l \in L$ and $(l, l') \in E$, the following conditions hold:

$$\forall x \in Init(l) : \varphi_l(x) \le 0 \qquad (11)$$
$$\forall x \in I(l) : \mathcal{L}_{f_l} \varphi_l(x) - \lambda_l \varphi_l(x) \le 0 \qquad (12)$$
$$\forall x \in G(l, l'), \forall x' \in R((l, l'), x) : \gamma_{ll'} \varphi_l(x) - \varphi_{l'}(x') \ge 0 \qquad (13)$$
$$\forall x \in Unsafe(l) : \varphi_l(x) > 0 \qquad (14)$$

where $Init(l)$ and $Unsafe(l)$ denote respectively the initial set and the unsafe set at location $l$, then the safety property is satisfied by $\mathcal{H}$.

Proof. To prove this theorem, it is sufficient to prove that any trajectory, say $\pi$, of the system cannot reach an unsafe state. Suppose the infinite time interval $\mathbb{R}^+$ associated with $\pi$ is divided into an infinite sequence of continuous time subintervals, i.e., $\mathbb{R}^+ = \bigcup_{n=0}^{\infty} I_n$, where $I_n = \{t \in \mathbb{R}^+ \mid t_n \le t < t_{n+1}\}$ is the time interval that the system spends at location $p(I_n)$ (where $p(I_n)$ returns the location corresponding to $I_n$). We define the trajectory as $\pi = \{x_{p(I_n)}(t) \mid t \in I_n, n \in \mathbb{N}\}$, where $x_{p(I_0)}(t_0) \in Init(p(I_0))$. Then our objective is to prove the following assertion:

$$\forall n \in \mathbb{N} : \forall t \in I_n : \varphi_{p(I_n)}(x_{p(I_n)}(t)) \le 0. \qquad (15)$$

The proof is by induction on $n$.

Basis: $n = 0$. By Theorem 1, it is immediate that

$$\forall t \in I_0 : \varphi_{p(I_0)}(x_{p(I_0)}(t)) \le 0.$$

Induction step. Assume that for some $k$,

$$\forall n \in [0, k] : \forall t \in I_n : \varphi_{p(I_n)}(x_{p(I_n)}(t)) \le 0;$$

we want to prove that

$$\forall t \in I_{k+1} : \varphi_{p(I_{k+1})}(x_{p(I_{k+1})}(t)) \le 0.$$

Case 1 (Discrete Transition). By the inductive assumption, we know that $\forall t \in I_k : \varphi_{p(I_k)}(x_{p(I_k)}(t)) \le 0$; hence

$$\forall t \in I_k : x_{p(I_k)}(t) \in G(p(I_k), p(I_{k+1})) \Rightarrow \varphi_{p(I_k)}(x_{p(I_k)}(t)) \le 0.$$

Let $l = p(I_k)$, $l' = p(I_{k+1})$, let $x$ be the state at which the transition is taken and let $x' = x_{l'}(t_{k+1}) \in R((l, l'), x)$ be the reset state. Since $\gamma_{ll'} \ge 0$, condition (13) gives $\varphi_{l'}(x') \le \gamma_{ll'} \varphi_l(x) \le 0$, i.e. $\varphi_{p(I_{k+1})}(x_{p(I_{k+1})}(t_{k+1})) \le 0$.

Case 2 (Continuous Transition). By Case 1 and condition (12), Theorem 1 yields $\forall t \in I_{k+1} : \varphi_{p(I_{k+1})}(x_{p(I_{k+1})}(t)) \le 0$.

By induction, the assertion (15) holds. Therefore, the safety property is guaranteed. □



Informally, the formulae (11), (12) and (14) together ensure that at each location $l \in L$ the system never evolves continuously into an unsafe state, and the formula (13) ensures that the system never jumps discretely from a safe state to an unsafe state. By induction, the formulae (11)-(14) together guarantee the safety of the system.

Remark 2. The selection of the parameter set $S_\lambda$ is essential to the conservativeness of the barrier certificate conditions. As discussed in Subsection 3.1, by setting all the elements of $S_\lambda$ to $0$ we derive Convex Condition for hybrid systems. However, Convex Condition is too restrictive to be useful for hybrid systems. For example, consider the hybrid system in Fig. 2: there is a reset operation $x := x_r$ (which is often the case) on the transition $(l_2, l_1)$. Assume there exists a barrier certificate $\{\varphi_{l_1}(x), \varphi_{l_2}(x)\}$ when all the elements of $S_\lambda$ are set to $0$ and (without loss of generality) all the elements of $S_\gamma$ are set to $1$. Then, for any trajectory containing the transition $(l_2, l_1)$ at least twice, once at time instant $t_1$ and once at $t_2 > t_1$, we can assert from Theorem 2 that $\varphi_{l_1}(x_{l_1, t_1}) > \varphi_{l_1}(x_{l_1, t_2})$; this contradicts $x_{l_1, t_1} = x_{l_1, t_2} = x_r$. That is, no barrier certificate satisfying Convex Condition exists, no matter what the unsafe set is. Therefore, in order to make the barrier certificate condition less conservative, we try to choose negative values for $\lambda_l \in S_\lambda$, and theoretically the smaller the better. However, in practice, the optimal domain for $\lambda$ may depend on the specific computational method. For example, the interval $[-1, 0)$ appears to be optimal, and not too sensitive within the interval, for the semidefinite programming method used in this paper.

The selection of $S_\gamma$ is relatively simple. We usually set all of its elements to $1$, except for discrete jumps whose reset operation is independent of the pre-state of the jump, for which we usually set $0$.

Fig. 2. A hybrid system without a barrier certificate satisfying Convex Condition. (Of the figure, only the labelled transition survives: $Guard_{21} \rightarrow x := x_r$ on $(l_2, l_1)$.)

4 Construction Method for Barrier Certificate 

Constructing inductive invariants for general hybrid systems is very hard. Fortunately, for some existing inductive conditions, several computational methods are available for semialgebraic hybrid systems. The most representative methods include the fixed-point method based on saturation [12], the constraint-solving methods based on semidefinite programming [13] and quantifier elimination [4], and the Gröbner-basis methods [23], [17]. Like Convex Condition, Exponential Condition defines a convex set of barrier certificate functions and hence can be solved by semidefinite programming, provided the hybrid system is semialgebraic and the barrier certificate function $\varphi(x)$ is a polynomial.

In our computational method, a barrier certificate is assumed to be a set $\Phi = \{\varphi_l(x) \mid l \in L\}$ of multivariate polynomials of fixed degrees with a set of unknown real coefficients. According to the constraint inequalities in Theorem 1 or Theorem 2, we obtain a set of polynomials $Q = \{Q_i \mid Q_i(x) \ge 0, \deg(Q_i) = 2k, x \in \mathbb{R}^n, k \in \mathbb{N}\}$ that are required to be positive semidefinite (PSD), where $\deg(\cdot)$ returns the degree of a polynomial. Note that a polynomial $Q(x)$ of degree $2k$ is said to be PSD if and only if $Q(x) \ge 0$ for all $x \in \mathbb{R}^n$. Thus, our objective is to find a set of real-valued coefficients for the $\varphi_l \in \Phi$ that makes all the $Q_i \in Q$ PSD.

A well-known sufficient condition for a polynomial $P(x)$ of degree $2k$ to be PSD is that it is a sum of squares (SOS), $P(x) = \sum_i q_i(x)^2$ for some polynomials $q_i(x)$ of degree $k$ or less [8]. Furthermore, this is equivalent to $P(x)$ having a positive semidefinite quadratic form, i.e., $P(x) = v(x) M v(x)^T$, where $v(x)$ is a vector of monomials in $x$ of degree $k$ or less and $M$ is a real symmetric PSD matrix whose entries are affinely related to the coefficients of $P(x)$. Therefore, the problem of finding a PSD polynomial $P(x)$ can be converted into the problem of solving a linear matrix inequality (LMI) $M \succeq 0$ [2], which can be solved by semidefinite programming [11].

In our work, we extend SOSTOOLS, based on the theory in this paper, to implement an algorithm for discovering barrier certificates automatically.



4.1 Sum-of-squares Transformation for Continuous System 

In order for the barrier certificate condition to be solvable by SOS programming, we need to restate it in terms of multivariate polynomials. In this context, we assume that all the state sets involved in the condition are semialgebraic, that is, they can be written as $\{x \in \mathbb{R}^n \mid P_1(x) \ge 0, \ldots, P_m(x) \ge 0, P_i(x) \in \mathbb{R}[x], 1 \le i \le m\}$. For convenience, we write this compactly as $\{x \in \mathbb{R}^n \mid \mathcal{P}(x) \ge 0, \mathcal{P}(x) \in \mathbb{R}[x]^m\}$, where $\mathcal{P}(x) = (P_1(x), P_2(x), \ldots, P_m(x))$. In addition, each component of the vector field $f(x)$ and the barrier certificate function $\varphi(x)$ are all polynomials in $\mathbb{R}[x]$. Based on these assumptions, we present the sum-of-squares transformation of Exponential Condition for continuous systems as the following corollary.

Corollary 1. Given the continuous polynomial system (1), the initial set $X_0 = \{x \in \mathbb{R}^n \mid I_0(x) \ge 0, I_0(x) \in \mathbb{R}[x]^r\}$ and the unsafe set $X_u = \{x \in \mathbb{R}^n \mid U(x) \ge 0, U(x) \in \mathbb{R}[x]^s\}$, where $r$ and $s$ are the dimensions of the polynomial vector spaces, for any $\lambda \in \mathbb{R}$ and any real number $\epsilon > 0$, if there exist a polynomial function $\varphi(x) \in \mathbb{R}[x]$ and two SOS polynomial vectors (i.e., every element of the vector is an SOS polynomial) $\mu(x) \in \mathbb{R}[x]^r$ and $\eta(x) \in \mathbb{R}[x]^s$ such that the following polynomials

$$-\varphi(x) - \mu(x) I_0(x) \qquad (16)$$
$$-\mathcal{L}_f \varphi(x) + \lambda \varphi(x) \qquad (17)$$
$$\varphi(x) - \eta(x) U(x) - \epsilon \qquad (18)$$

are all SOSs (the products $\mu(x) I_0(x)$ and $\eta(x) U(x)$ are inner products of polynomial vectors), then the safety property is satisfied by the system (1).

Proof. It is sufficient to prove that any $\varphi(x)$ satisfying (16)-(18) also satisfies (2)-(4). By (16), we have $-\varphi(x) - \mu(x) I_0(x) \ge 0$, that is, $\varphi(x) \le -\mu(x) I_0(x)$. Because $-\mu(x) I_0(x) \le 0$ for any $x \in X_0$, this means $\varphi(x) \le 0$ on $X_0$. Similarly, we can derive (3) from (17). By (18), it is easy to see that $\varphi(x) - \epsilon \ge 0$ holds for any $x \in X_u$. Since $\epsilon$ is greater than $0$, the condition (4) holds. Therefore, the system is safe. □



Remark 3. Since the polynomials (16)-(18) are required to be SOSs, each of them can be transformed into a positive semidefinite quadratic form $v(x) M_i v(x)^T$, where $M_i$ is a real symmetric PSD matrix whose entries are linear in the unknown coefficients of $\varphi(x)$, $\mu(x)$ and $\eta(x)$. As a result, we obtain a set of LMIs $\{M_i \succeq 0\}$ which can be solved by semidefinite programming.
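As an added illustration of Remark 3 and of the SOS form in Corollary 1 (not code from the paper or from SOSTOOLS), the following stand-alone script builds Gram matrices for univariate polynomials and decides PSD-ness with an $LDL^T$ factorisation, which also yields the explicit squares $q_j(x)$. It is applied to the three polynomials (16)-(18) obtained for an assumed example: $\dot{x} = -x$, $X_0 = \{x \mid 0.25 - x^2 \ge 0\}$, $X_u = \{x \mid x - 2 \ge 0\}$, candidate $\varphi(x) = x - 1$, $\lambda = -1$, $\epsilon = 0.1$ and the constant multipliers $\mu(x) = 1$, $\eta(x) = 1$ (all of these are assumptions). For degree 2 the Gram matrix is unique; for degree 4 it has one free entry, and the script scans that entry as a stand-in for the semidefinite programming solver that handles the general case.

```python
"""Gram-matrix (SOS) check for the Corollary 1 polynomials of a 1-D example.

Added example, not from the paper.  Assumed data:
    f(x) = -x,  I0(x) = 0.25 - x^2 (X0 = [-0.5, 0.5]),  U(x) = x - 2 (Xu = [2, inf))
    phi(x) = x - 1,  lambda = -1,  eps = 0.1,  mu(x) = 1,  eta(x) = 1
Polynomials are coefficient lists in increasing degree: c[k] is the coefficient of x^k.
"""
import math


def ldlt(M, tol=1e-9):
    """LDL^T factorisation of a symmetric matrix; returns (L, d) if M is PSD
    (within tol) and None otherwise.  Zero pivots are accepted, so singular
    PSD matrices, which exact SOS certificates often are, are handled."""
    n = len(M)
    L = [[0.0] * n for _ in range(n)]
    d = [0.0] * n
    for j in range(n):
        s = M[j][j] - sum(L[j][k] ** 2 * d[k] for k in range(j))
        if s < -tol:
            return None                   # negative pivot: not PSD
        d[j] = max(s, 0.0)
        L[j][j] = 1.0
        for i in range(j + 1, n):
            t = M[i][j] - sum(L[i][k] * L[j][k] * d[k] for k in range(j))
            if d[j] > tol:
                L[i][j] = t / d[j]
            elif abs(t) > tol:
                return None               # zero pivot with nonzero column: indefinite
    return L, d


def gram_deg2(c):
    """Unique Gram matrix of c0 + c1 x + c2 x^2 in the basis v = (1, x)."""
    return [[c[0], c[1] / 2], [c[1] / 2, c[2]]]


def gram_deg4(c, a):
    """Gram matrices of a quartic in the basis v = (1, x, x^2).  The x^2
    coefficient splits as 2*a + M[1][1], so `a` is the free (LMI) variable."""
    return [[c[0], c[1] / 2, a],
            [c[1] / 2, c[2] - 2 * a, c[3] / 2],
            [a, c[3] / 2, c[4]]]


def sos_decomposition(M):
    """If M is PSD, return coefficient vectors w_j of the squares, i.e.
    v^T M v = sum_j (w_j . v)^2, obtained from v^T M v = sum_j d_j (L^T v)_j^2."""
    fact = ldlt(M)
    if fact is None:
        return None
    L, d = fact
    n = len(M)
    return [[math.sqrt(d[j]) * L[i][j] for i in range(n)] for j in range(n) if d[j] > 1e-12]


def eval_poly(c, x):
    return sum(ck * x ** k for k, ck in enumerate(c))


def eval_squares(ws, x):
    """Evaluate sum_j (w_j . v(x))^2 with v(x) = (1, x, x^2, ...)."""
    return sum(sum(w[i] * x ** i for i in range(len(w))) ** 2 for w in ws)


def max_residual(c, ws, xs=(-2.0, -0.5, 0.0, 0.7, 1.5)):
    """max |P(x) - sum_j q_j(x)^2| over sample points; ~0 for a valid decomposition."""
    return max(abs(eval_poly(c, x) - eval_squares(ws, x)) for x in xs)


def find_gram_deg4(c, lo=-3.0, hi=3.0, steps=120):
    """Scan the free Gram entry; return (a, M) for the first PSD Gram matrix.
    A one-dimensional scan stands in for the SDP solver used in the paper."""
    for k in range(steps + 1):
        a = lo + (hi - lo) * k / steps
        M = gram_deg4(c, a)
        if ldlt(M) is not None:
            return a, M
    return None


# Corollary 1 polynomials for the assumed example (increasing-degree coefficients):
#   (16): -phi - mu*I0        = -(x - 1) - (0.25 - x^2)   = 0.75 - x + x^2
#   (17): -L_f phi + lambda*phi = x + (-1)*(x - 1)         = 1
#   (18): phi - eta*U - eps   = (x - 1) - (x - 2) - 0.1   = 0.9
P16 = [0.75, -1.0, 1.0]
P17 = [1.0, 0.0, 0.0]
P18 = [0.9, 0.0, 0.0]

# A quartic whose only PSD Gram matrix is singular: (x^2 - 1)^2 + (x + 1)^2
QUARTIC = [2.0, 2.0, -1.0, 0.0, 1.0]


def certificate_is_sos():
    """True iff all three Corollary 1 polynomials have a PSD Gram matrix."""
    return all(ldlt(gram_deg2(p)) is not None for p in (P16, P17, P18))


if __name__ == "__main__":
    print("(16)-(18) are SOS:", certificate_is_sos())
    a, M = find_gram_deg4(QUARTIC)
    ws = sos_decomposition(M)
    print(f"quartic: free entry a = {a}, squares = {ws}, residual = {max_residual(QUARTIC, ws):.2e}")
```

The Gram construction only exists for even total degree, which is the reason for step 5 of Algorithm 1 (odd top-degree monomials are forced to zero before the program is set up). The quartic also shows why a tolerance on zero pivots is needed: its unique PSD Gram matrix, at free entry $a = -1$, is singular, and a plain Cholesky factorisation would reject it even though the SOS decomposition $2(1 + x/2 - x^2/2)^2 + (x + x^2)^2/2$ is exact.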



Algorithm 1: Computing Barrier Certificate for Continuous System
Input: $f$: array of polynomials (vector field); $I_0$: array of polynomials defining $X_0$; $U$: array of polynomials defining $X_u$
Output: $\varphi$: barrier certificate polynomial
Variables: $\lambda$: a negative real value; $d$: degree of $\varphi$
Constants: $\Lambda$: array of candidate values for $\lambda$; $\epsilon$: a positive value; $dMin$, $dMax$: the minimal and maximal degree of $\varphi$ to be searched

1 Initialize. Set $\Lambda$ to a set of negative values between $-1$ and $0$; set $\epsilon$ to a small positive value; set $dMin$ and $dMax$ to positive integers;

2 Pick $\lambda$ and $d$. For each $\lambda \in \Lambda$ and for each $d$ from $dMin$ to $dMax$, perform steps 3-7 until a barrier certificate is found;

3 Decide the degrees of $\mu(x)$ and $\eta(x)$ according to $d$. For both (16) and (18) to be SOSs, at least one of the degrees of $\mu(x) I_0(x)$ and $\eta(x) U(x)$ must be greater than or equal to the degree of $\varphi(x)$;

4 Generate complete polynomials $\varphi(x)$, $\mu(x)$ and $\eta(x)$ of the specified degrees with unknown coefficient variables;

5 Eliminate the monomials of odd top degree in (16)-(18), $\mu(x)$ and $\eta(x)$, respectively. To be an SOS, a polynomial has to be of even degree. Concretely, set the coefficients of the monomials to be eliminated to zero to obtain equations over the coefficient variables, then reduce the number of coefficient variables by solving these equations and substituting free variables for non-free variables in all the related polynomials;

6 Perform SOS programming on the positive semidefinite constraints (16)-(18) and $\mu(x)$, $\eta(x)$;

7 Check whether a feasible solution is found. If not, continue with the next loop iteration; otherwise, check whether the solution indeed makes the corresponding polynomials SOSs. If so, return $\varphi(x)$; otherwise, for all the polynomials in the program, eliminate all the monomials whose coefficients have too small absolute values (usually less than $10^{-5}$) using the same method as step 5, then go to step 6 unless an empty polynomial is produced.



We use Algorithm 1 to compute the desired barrier certificate. In the algorithm, we first choose a small set $\Lambda$ of negative values as the candidate set for $\lambda$ and an integer interval $[dMin, dMax]$ as the candidate set for the degree $d$ of $\varphi(x)$. Then we attempt to find a barrier certificate satisfying the conditions (16)-(18) for each fixed pair of $\lambda$ and $d$ until one is found. Theoretically, according to the analysis of how the conservativeness of the barrier certificate depends on the value of $\lambda$, we should set $\lambda$ to as small a negative value as possible. However, experiments show that very small negative values of $\lambda$ often lead the semidefinite programming solver into numerical problems. In practice, negative values in the interval $[-1, 0)$ are good enough for $\lambda$ to verify very critical safety properties. Note that the principle behind step 3 of Algorithm 1 is that if $\varphi(x)$ has the dominating degree in both polynomials, no solution can make both polynomials SOSs, because $-\varphi(x)$ and $\varphi(x)$ occur in (16) and (18) simultaneously. The motive for eliminating the monomials with small coefficients in step 7 comes from the observation that those monomials are usually the cause of a failed SOS decomposition when the semidefinite programming solver returns a seemingly feasible solution.

The idea for constructing barrier certificates for continuous systems can be easily extended to hybrid systems. We describe it in the following subsection.

4.2 Sum-of-squares Transformation for Hybrid System 

Similar to the continuous case, in order to be solvable by semidefinite programming, we need to restrict the hybrid system model of Section 2 to semialgebraic hybrid systems.

Consider the hybrid system $H = (L, X, E, R, G, I, F)$, where the mappings $F, R, G, I$ of $H$ are defined with respect to polynomial inequalities as follows:

\[
\begin{aligned}
F &: l \mapsto f_l(x) \\
G &: (l, l') \mapsto \{x \in \mathbb{R}^n \mid G_{ll'}(x) \ge 0,\ G_{ll'}(x) \in \mathbb{R}[x]^{p_{ll'}}\} \\
R &: (l, l', x) \mapsto \{x' \in \mathbb{R}^n \mid R_{ll'x}(x') \ge 0,\ R_{ll'x}(x') \in \mathbb{R}[x]^{q_{ll'}}\} \\
I &: l \mapsto \{x \in \mathbb{R}^n \mid I_l(x) \ge 0,\ I_l(x) \in \mathbb{R}[x]^{r_l}\}
\end{aligned}
\]

and the mappings of the initial set and the unsafe set are defined as follows:

\[
\begin{aligned}
\mathrm{Init} &: l \mapsto \{x \in \mathbb{R}^n \mid \mathrm{Init}_l(x) \ge 0,\ \mathrm{Init}_l(x) \in \mathbb{R}[x]^{s_l}\} \\
\mathrm{Unsafe} &: l \mapsto \{x \in \mathbb{R}^n \mid \mathrm{Unsafe}_l(x) \ge 0,\ \mathrm{Unsafe}_l(x) \in \mathbb{R}[x]^{t_l}\}
\end{aligned}
\]

where $p_{ll'}$, $q_{ll'}$, $r_l$, $s_l$ and $t_l$ are the dimensions of the respective polynomial vector spaces, and inequalities on polynomial vectors are understood componentwise. Then we have the following corollary for constructing barrier certificates for the semialgebraic hybrid system $H$.

Corollary 2. Let the hybrid system $H$, the initial state set mapping $\mathrm{Init}$ and the unsafe state set mapping $\mathrm{Unsafe}$ be defined as above. Then, for any given set of constant real numbers $S_\lambda = \{\lambda_l \in \mathbb{R} \mid l \in L\}$, any given set of constant non-negative real numbers $S_\gamma = \{\gamma_{ll'} \in \mathbb{R}_{\ge 0} \mid (l, l') \in E\}$, and any given small real number $\varepsilon > 0$, if there exist a set of polynomial functions $\{\varphi_l(x) \in \mathbb{R}[x] \mid l \in L\}$ and five sets of SOS polynomial vectors $\{\mu_l(x) \in \mathbb{R}[x]^{s_l} \mid l \in L\}$, $\{\theta_l(x) \in \mathbb{R}[x]^{r_l} \mid l \in L\}$, $\{\kappa_{ll'}(x) \in \mathbb{R}[x]^{p_{ll'}} \mid (l, l') \in E\}$, $\{\sigma_{ll'}(x) \in \mathbb{R}[x]^{q_{ll'}} \mid (l, l') \in E\}$ and $\{\eta_l(x) \in \mathbb{R}[x]^{t_l} \mid l \in L\}$, such that the polynomials

\[
\begin{aligned}
& -\varphi_l(x) - \mu_l(x)^{T}\,\mathrm{Init}_l(x) & (19) \\
& \lambda_l \varphi_l(x) - \mathcal{L}_{f_l}\varphi_l(x) - \theta_l(x)^{T} I_l(x) & (20) \\
& \gamma_{ll'}\varphi_l(x) - \varphi_{l'}(x') - \kappa_{ll'}(x)^{T} G_{ll'}(x) - \sigma_{ll'}(x')^{T} R_{ll'x}(x') & (21) \\
& \varphi_l(x) - \varepsilon - \eta_l(x)^{T}\,\mathrm{Unsafe}_l(x) & (22)
\end{aligned}
\]

are SOSs for all $l \in L$ and $(l, l') \in E$, where $\mathcal{L}_{f_l}\varphi_l$ denotes the Lie derivative of $\varphi_l$ along $f_l$, then the safety property is satisfied by the system $H$.

Proof. Similar to Corollary 1, it is easy to prove that any set of polynomials $\{\varphi_l(x)\}$ satisfying (19)-(22) also satisfies (11)-(14); hence the hybrid system $H$ is safe. □



The algorithm for computing the barrier certificates of hybrid systems is similar to the algorithm for continuous systems, except that it also needs to take into account the constraint (21) for the discrete transitions; we do not elaborate on it here. Note that the strategy for selecting the $\lambda_l$'s for continuous systems applies here as well, and we only need to set all the elements of $S_\gamma$ to 1, except for a discrete transition whose post-state is independent of the pre-state, where we set $\gamma_{ll'}$ to 0 to reduce the computational complexity.

5 Examples 
5.1 Example 1 

Consider the two-dimensional system (from [7], page 315)

\[
\begin{aligned}
\dot{x}_1 &= x_2 \\
\dot{x}_2 &= -x_1 + \tfrac{1}{3}x_1^3 - x_2
\end{aligned}
\]

with $X = \mathbb{R}^2$. We want to verify that, starting from the initial set $X_0 = \{x \in \mathbb{R}^2 \mid (x_1 - 1.5)^2 + x_2^2 \le 0.25\}$, the system never evolves into the unsafe set $X_u = \{x \in \mathbb{R}^2 \mid (x_1 + 1)^2 + (x_2 + 1)^2 \le 0.16\}$. We attempted to use both the method based on Convex Condition proposed in [14] and the method based on Exponential Condition in this paper to find barrier certificates with degrees ranging from 2 to 10. (Note that the inductive invariants in [4], [22] are not sufficient in general according to [21] and hence cannot be applied to our examples. The work of [19] applies only to a very special class of hybrid systems and is not applicable to our examples either.) During this process, all the programming polynomials are complete polynomials generated automatically (instead of non-complete polynomials consisting of painstakingly chosen terms), and all the computations are performed in the same environment. The result of the experiment is listed in Table 1. The first column is the degree of the barrier certificate to be found, the second column is the time spent by the method based on Convex Condition, and the remaining columns are the times spent by the method based on Exponential Condition for different values of $\lambda$. The symbol × in the table indicates that the method failed to find a barrier certificate of the corresponding degree, either because the semidefinite programming function found no feasible solution or because it ran into a numerical problem.

As shown in Table 1, the method based on Convex Condition succeeded in only one case (Degree = 4), due to the conservativeness of Convex Condition. By comparison, our method found barrier certificates of all the specified degrees from 2 to 10. In particular, the lowest-degree barrier certificate we found is quadratic:
\[
\varphi(x) = -0.86153 - 0.87278x_1 - 1.1358x_2 - 0.23944x_1^2 - 0.5866x_1x_2
\]
with $\mu(x) = 0.75965$ and $\eta(x) = 0.73845$ when $\lambda$ is set to $-1$. The phase portrait of the system and the zero level set of $\varphi(x)$ are shown in Fig. 3(a). Note that being able to find barrier certificates of lower degree is essential for reducing the computational complexity.
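Before trusting a certificate that comes out of a semidefinite programming solver, a practitioner should recompute the certificate polynomials independently and probe them, which is the spirit of step 7 of Algorithm 1. The following is an added example (not code from the paper) that does this for the quadratic certificate reported above: it represents polynomials in $x_1, x_2$ as exponent-to-coefficient maps, computes the Lie derivative $\mathcal{L}_f\varphi$ along the vector field of Example 1, builds the three polynomials of the Exponential Condition on $X = \mathbb{R}^2$ (the continuous analogues of (19), (20) and (22)) from $\varphi$, $\mu$, $\eta$ and $\lambda = -1$, and evaluates them on a grid. A negative sample refutes a certificate; nonnegative samples are only a necessary condition and do not replace an exact SOS decomposition. The grid bounds and step and the value $\varepsilon = 0.01$ are assumptions, since the paper does not state them; the check also shows that the same $\varphi$ fails under Convex Condition ($\lambda = 0$).

```python
"""Independent numerical check of the barrier certificate of Example 1.

Added example, not code from the paper.  Polynomials in x = (x1, x2) are
dicts {(i, j): c} standing for sum c * x1**i * x2**j.  The certificate phi,
the multipliers mu and eta and lambda = -1 are the values reported in
Subsection 5.1; the vector field and the sets X0, Xu come from the same
subsection.  Grid bounds/step and eps are assumptions.
"""
from itertools import product


def p_add(p, q):
    """Sum of two polynomials, dropping monomials that cancel."""
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0.0) + c
    return {m: c for m, c in r.items() if c != 0.0}


def p_scale(p, k):
    return {m: k * c for m, c in p.items()}


def p_mul(p, q):
    r = {}
    for (i1, j1), c1 in p.items():
        for (i2, j2), c2 in q.items():
            m = (i1 + i2, j1 + j2)
            r[m] = r.get(m, 0.0) + c1 * c2
    return r


def p_diff(p, var):
    """Partial derivative; var = 0 means d/dx1, var = 1 means d/dx2."""
    r = {}
    for (i, j), c in p.items():
        e = (i, j)[var]
        if e == 0:
            continue
        m = (i - 1, j) if var == 0 else (i, j - 1)
        r[m] = r.get(m, 0.0) + c * e
    return r


def p_eval(p, x1, x2):
    return sum(c * x1 ** i * x2 ** j for (i, j), c in p.items())


def p_degree(p):
    return max((i + j for (i, j) in p), default=0)


def lie_derivative(phi, f):
    """L_f phi = (d phi / d x1) * f1 + (d phi / d x2) * f2."""
    return p_add(p_mul(p_diff(phi, 0), f[0]), p_mul(p_diff(phi, 1), f[1]))


# Example 1 vector field: x1' = x2, x2' = -x1 + x1^3/3 - x2
F = ({(0, 1): 1.0},
     {(1, 0): -1.0, (3, 0): 1.0 / 3.0, (0, 1): -1.0})
# Init(x) = 0.25 - (x1 - 1.5)^2 - x2^2 and Unsafe(x) = 0.16 - (x1 + 1)^2 - (x2 + 1)^2,
# expanded; the sets X0 and Xu are {Init >= 0} and {Unsafe >= 0}.
INIT = {(0, 0): -2.0, (1, 0): 3.0, (2, 0): -1.0, (0, 2): -1.0}
UNSAFE = {(0, 0): -1.84, (1, 0): -2.0, (2, 0): -1.0, (0, 1): -2.0, (0, 2): -1.0}
# Quadratic certificate and multipliers reported for lambda = -1
PHI = {(0, 0): -0.86153, (1, 0): -0.87278, (0, 1): -1.1358,
       (2, 0): -0.23944, (1, 1): -0.5866}
MU, ETA, LAMBDA = 0.75965, 0.73845, -1.0
EPS = 0.01  # assumption: the paper does not report the epsilon used


def certificate_polynomials(phi=PHI, f=F, init=INIT, unsafe=UNSAFE,
                            mu=MU, eta=ETA, lam=LAMBDA, eps=EPS):
    """The three polynomials the Exponential Condition requires to be SOS on
    X = R^2 (continuous analogues of (19), (20) and (22))."""
    p_init = p_add(p_scale(phi, -1.0), p_scale(init, -mu))          # -phi - mu*Init
    p_flow = p_add(p_scale(phi, lam),
                   p_scale(lie_derivative(phi, f), -1.0))            # lam*phi - L_f phi
    p_unsafe = p_add(p_add(phi, {(0, 0): -eps}),
                     p_scale(unsafe, -eta))                          # phi - eps - eta*Unsafe
    return p_init, p_flow, p_unsafe


def grid_min(p, lo=-3.0, hi=3.0, step=0.05):
    """Smallest value of p on a square grid (assumed bounds and step)."""
    n = int(round((hi - lo) / step)) + 1
    pts = [lo + k * step for k in range(n)]
    return min(p_eval(p, a, b) for a, b in product(pts, pts))


def check_certificate(**kw):
    """Grid minima of the three certificate polynomials.  Any negative value
    refutes the certificate; nonnegative values are necessary, not sufficient
    (an exact SOS decomposition, as in step 7 of Algorithm 1, is still needed)."""
    return tuple(grid_min(p) for p in certificate_polynomials(**kw))


if __name__ == "__main__":
    for name, m in zip(("init", "flow", "unsafe"), check_certificate()):
        print(f"{name:6s} grid minimum = {m:+.4f}")
    # The same phi is not a certificate under Convex Condition (lambda = 0).
    print(f"flow minimum with lambda = 0: {check_certificate(lam=0.0)[1]:+.4f}")
```

The flow polynomial $\lambda\varphi - \mathcal{L}_f\varphi$ is quartic because $\mathcal{L}_f\varphi$ picks up the $x_1^3$ term of $f$; its grid minimum is small but positive, which is exactly where coefficient rounding or a sloppy solver tolerance would first show up, so this is the polynomial to submit to an exact SOS check.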



Table 1. Computing results for Convex Condition and Exponential Condition. Exponential Condition shows much stronger capability in finding barrier certificates.

Degree of   Convex Condition   Exponential Condition Time(sec)
φ(x)        Time(sec)          λ = −1      λ = …       λ = …
   2        ×                  0.4867      0.4836      0.2496
   3        ×                  0.5444      0.6224      0.4976
   4        0.4368             0.4103      0.4072      0.3853
   5        ×                  0.4321      0.4103      0.3947
   6        ×                  0.3214      0.3011      0.2714
   7        ×                  0.9563      0.9532      0.9453
   8        ×                  0.9188      0.8970      0.7893
   9        ×                  1.4944      1.4149      1.5132
  10        ×                  1.4336      1.3931      1.3650




Fig. 3. (a) Phase portrait of the system in Subsection 5.1. The solid patches from right to left are $X_0$ and $X_u$, respectively; the solid lines depict the boundary of the reachable region of the system from $X_0$, and the dashed lines are the zero level set of a quadratic barrier certificate $\varphi(x)$ which separates the unsafe region $X_u$ from the reachable region. (b) Discrete transition diagram of the hybrid system in Subsection 5.2.



In addition, we can see from Table 1 that, for each fixed degree except Degree = 3 and 9, the runtime of the method based on Exponential Condition decreases as $\lambda$ decreases. This observation supports our theoretical result about the selection of $\lambda$: the smaller, the better.



5.2 Example 2 

In this example, we consider a hybrid system with two discrete locations (from [13]). The discrete transition diagram of the system is shown in Fig. 3(b), and the vector fields describing the continuous behaviors are as follows:

\[
f_1(x) = \begin{pmatrix} x_2 \\ \cdots \\ x_1 + (2x_2 + 3x_3)(1 + x_3^2) \end{pmatrix}, \qquad
f_2(x) = \begin{pmatrix} x_2 \\ \cdots \\ \cdots \end{pmatrix}
\]

(the components shown as $\cdots$ are missing from the source text).

At the beginning, the system is initialized at some point in $X_0 = \{x \in \mathbb{R}^3 \mid x_1^2 + x_2^2 + x_3^2 \le 0.01\}$ and then starts to evolve following the vector field $f_1(x)$ at location 1 (NO CONTROL mode). When the system reaches some point in the guard set $G(1,2) = \{x \in \mathbb{R}^3 \mid 0.99 \le x_1^2 + 0.01x_2^2 + 0.01x_3^2 \le 1.01\}$, it can jump to location 2 (CONTROL mode) nondeterministically without performing any reset operation (i.e., $R(1,2,x) = G(1,2)$). At location 2, the system operates following the vector field $f_2(x)$, which means that a controller takes over to prevent $x_1$ from getting too big. As the system enters the guard set $G(2,1) = \{x \in \mathbb{R}^3 \mid 0.03 \le x_1^2 + x_2^2 + x_3^2 \le 0.05\}$, it jumps back to location 1 nondeterministically, again without reset operation (i.e., $R(2,1,x) = G(2,1)$). Different from the experiment in [13], where the objective is to verify that $|x_1| < 5.0$ in CONTROL mode, our objective is to verify that $x_1$ stays in a much more restrictive domain in CONTROL mode: $|x_1| < 3.2$.

We define the unsafe set as $\mathrm{Unsafe}(1) = \emptyset$ and $\mathrm{Unsafe}(2) = \{x \in \mathbb{R}^3 \mid 3.2 \le |x_1| \le 10\}$, which is sufficient to prove $|x_1| < 3.2$ in CONTROL mode. Similarly, we tried to use both the method in this paper and the method in [14] to compute the barrier certificate. By setting $\lambda_1 = \lambda_2$ to a common negative value and $\gamma_{12} = \gamma_{21} = 1$, our method found a pair of quartic barrier certificate functions $\varphi_1(x)$ and $\varphi_2(x)$, whose zero level sets are shown in Fig. 4(a) and Fig. 4(b), respectively. As can be seen, at each location $l = 1, 2$ the zero level set of $\varphi_l(x)$ forms the boundary of the over-approximation $\varphi_l(x) \le 0$ (the points within the pipe) of the reachable set at location $l$. On the one hand, the hybrid system starts from and evolves within the corresponding over-approximation and jumps back and forth between the two over-approximations. On the other hand, the unsafe set does not intersect the over-approximation formed by $\varphi_2(x) \le 0$ (see Fig. 4(c)). Therefore, the safety of the system is guaranteed. However, using the method in [14] we could not compute a barrier certificate, which means that it cannot verify the system.

Fig. 4. Barrier certificates $\varphi_1(x)$ and $\varphi_2(x)$ for the hybrid system in Subsection 5.2: (a) $\varphi_1(x) = 0$; (b) $\varphi_2(x) = 0$; (c) $\varphi_2(x) = 0$ together with the unsafe region $3.2 \le x_1 \le 10$. $\varphi_l(x) = 0$ ($l = 1, 2$) forms the boundary of the over-approximation $\varphi_l(x) \le 0$ and separates the inside reachable set from the outside unsafe set (e.g. $3.2 \le x_1 \le 10$).

6 Conclusion

In this paper, we propose a new barrier certificate condition (called Exponential Condition) for the safety verification of continuous systems and hybrid systems. Our barrier certificate condition is parameterized by a real number $\lambda$, and the conservativeness of the condition depends closely on the value of $\lambda$: the smaller $\lambda$ is, the less conservative the barrier certificate condition is. Specifically, Convex Condition is just the special case of Exponential Condition with $\lambda = 0$. Therefore, we obtain a barrier certificate condition that is less conservative than Convex Condition as long as we set $\lambda$ to a negative value. The most important benefit of Exponential Condition is that it possesses a relatively low conservativeness as well as convexity, and hence can be solved efficiently by the semidefinite programming method.

Based on our method, we are able to construct polynomial barrier certificates to verify very critical safety properties of semialgebraic continuous systems and hybrid systems. The experiments on a continuous system and a hybrid system show the effectiveness and practicality of our method.
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